
I'm trying to get my head around the difference in how sessions are handled between GET and POST requests.

In Rails I'm setting a current_user with a session variable. This works fine for all GET requests BUT when I do a POST it seems like the session variable is not carried over. This results in current_user = null.

I guess these pictures explain it well.

Cookies on a working GET request: [screenshot]

Cookies on a NOT working POST request: [screenshot]

  • Why is that?
  • Do I have to change the header in the angular2 request?
  • Is there a setting in Rails to allow sessions with POST requests?

Here is some of my code...

Angular: Version 1 - Doesn't set my current_user

    postSomeData( id : number ){
        // Plain POST with no CSRF token header, so Rails cannot verify the request
        return this._http.post( "/api/something/" + id,
                                JSON.stringify({ id: id }) )   // stringify an object, not a string literal
                   .map( response => response.json() )
    }

Angular: Version 2 - Doesn't set my current_user

    // at the top of the service/component file
    import { Headers, Http } from '@angular/http';   // Angular 4 Http module
    import 'rxjs/add/operator/map';                  // needed for .map on the response Observable

    postSomeData( id : number ){
        let headers = new Headers();
        headers.append('Content-Type', 'application/json');
        // withCredentials only matters cross-origin; a same-origin /api path already gets the session cookie
        return this._http.post(
            "/api/lists/private/translation/" + id,
            JSON.stringify({ id: id }),   // stringify an object, not a string literal
            { headers: headers, withCredentials: true } )
            .map( response => response.json() )
    }

Rails: ApplicationController

    class ApplicationController < ActionController::Base
      # :null_session serves a non-GET request that carries no valid CSRF token with an
      # empty session for that one request, so session[:user_id] is nil inside current_user
      protect_from_forgery with: :null_session

      def current_user
        @current_user ||= User.find(session[:user_id]) if session[:user_id]
      end
    end

  • Rails 5.0.0.1
  • Angular 4.0.5

2 Answers


People usually do something like this in the ApplicationController or in a helper:

    def set_user
      unless @current_user.present?
        @current_user = User.where(id: session[:user_id]).take || User.new
      end
    end

Then you can query if the user has any relations or has an ID, etc...

Eelco
  • Thanks for your answer but I don't think that would help me in this case. My problem is that session[:user_id] is null after my POST request so I don't get the user I want. I added two images in the description which explain my issue pretty well. – Rickard Dahlström Mar 13 '17 at 06:11
  • People first need to sign in in order to send the post requests right? – Eelco Mar 14 '17 at 10:52
  • Then in your ApplicationController add `before_action :set_user` so you always have a `@current_user` – Eelco Mar 14 '17 at 10:53
  • re: @Eelco I was actually prototyping so I had no login functionality. Does a user need to be logged in in order for a POST request to keep the session? – Rickard Dahlström Mar 23 '17 at 23:24

I faced the very same situation. Turned out that the problem is with the rails server, not angular.

When I make an HTTP POST request the following statement shows in the logs and my session gets terminated.

WARNING: Can't verify CSRF token authenticity

I searched for this and the discussion on this thread did help me.

Adding the following line in my controller allowed me to make HTTP POST requests.

    # disables CSRF verification for every action in this controller (Rails 5 name: skip_before_action)
    skip_before_filter :verify_authenticity_token

Arsal
  • That's a great insight. I ended up using cookies as a temporary solution back then. But I'll come back to this. Sounds like this is the solution I was looking for. – Rickard Dahlström Jul 16 '17 at 06:26
  • OH NO: Adding the skip before filter will leave you exposed to CSRF attacks. What you need to do is to enable your angular code to pick up the CSRF token from rails and to pass that along with your post request. Not sure how you can do that with Angular, but perhaps you can pass in flags to your angular code? – BenKoshy Jan 27 '20 at 00:41
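The question's `protect_from_forgery with: :null_session` and this answer's `skip_before_filter` are two outcomes of the same check. The following is an added example, not code from the question, the answers, or Rails itself: a simplified Ruby model of that check. The token masking follows the Rails scheme (a random one-time pad XOR'd with the raw session token, Base64-encoded), while the controller plumbing, the method names `masked_token`, `valid_token?` and `handle_post`, and the sample session are my own assumptions. It shows why a POST that carries no token arrives with an empty session under `:null_session` (so `session[:user_id]` is nil for that request while the next GET still sees the original session), and why skipping the filter only removes the check instead of satisfying it.

```ruby
# Added example: simplified model of Rails request forgery protection on a POST.
# Not Rails code; method names and the sample session are assumptions.
require 'securerandom'

TOKEN_LENGTH = 32

# Bytewise XOR of two equal-length binary strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The raw token lives in the session (Rails keeps it under :_csrf_token).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

# What the server hands to the client (csrf_meta_tags / form_authenticity_token):
# a fresh pad followed by pad XOR raw token, so each page load yields a different
# string for the same session (the BREACH mitigation).
def masked_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, real_csrf_token(session))].pack('m0')
end

# Unmask the client's token and compare it with the session's raw token.
def valid_token?(session, encoded)
  return false if encoded.nil?
  masked = encoded.unpack1('m0')
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad = masked[0, TOKEN_LENGTH]
  encrypted = masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
rescue ArgumentError
  false   # not valid Base64
end

class UnverifiedRequest < StandardError; end

# Models verify_authenticity_token for a non-GET request. The client's token is
# read from the X-CSRF-Token header (Rails also accepts the authenticity_token
# form param). Returns the session hash the controller action would see.
def handle_post(session, strategy, x_csrf_token: nil)
  return session if strategy == :skip     # skip_before_action :verify_authenticity_token
  return session if valid_token?(session, x_csrf_token)
  case strategy
  when :null_session then {}              # action runs, but with an empty session for this request
  when :exception    then raise UnverifiedRequest, "Can't verify CSRF token authenticity"
  else raise ArgumentError, "unknown strategy #{strategy}"
  end
end

if __FILE__ == $PROGRAM_NAME
  session = { user_id: 42 }               # constructed sample session
  token = masked_token(session)
  puts handle_post(session, :null_session, x_csrf_token: token)[:user_id].inspect  # 42
  puts handle_post(session, :null_session)[:user_id].inspect                        # nil
  puts handle_post(session, :skip)[:user_id].inspect                                # 42, but unchecked
end
```

On the page's actual stack the fix is to keep `protect_from_forgery` and let the client echo the token: render it with `csrf_meta_tags` in the layout (or expose `form_authenticity_token` some other way) and have the Angular request send it in an `X-CSRF-Token` header, which Rails reads through `request.x_csrf_token`. A token is cheap to carry along and keeps the session intact on the POST; skipping the filter keeps the session intact only by no longer asking where the request came from.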